NAS vendors suggest that customers can run applications on their NASes such as Wordpress and other things. However, maintaining security of such an app (especially internet-facing) is actually very difficult.
For one, the applications from QNAP AppCenter are hit or miss. For instance, Wordpress there is >2 years old and has known vulnerabilities. Tailscale there is 1.40.*, initial release version, hasn’t been updated ever since the release. That is despite the fact that Tailscale actually offers QNAP application packages much newer than what’s available in the App Center.
I brought this up with QNAP customer support, but the issue is still unresolved; it looks to me that any partner application (not provided directly by the NAS vendor) is maintained on a best-effort basis with no particular expectation that the app will receive any security updates in a timely fashion.
I wonder if it would be a good idea to make a tutorial video about best practices when running applications on NAS. I believe many people don’t even realise the risks involved when running some apps from a NAS app-store compared to App Stores offered by big tech for mobile platforms or Mac/Windows.
Running self-managed apps via Kubernetes? Is that an answer?
It’s okay to run apps from NAS app store which Synology / QNAP / … offer themselves as a vendor and whose reputation is behind it.
Partner apps are sketchy in QNAP, don’t know about Synology, might be also poorly maintained or pulled out at any time. I wouldn’t trust it to run anything like that if it’s internet facing. Might be reasonably okay if it’s behind some VPN / Tailscale. Still, these app stores appear to have very little engineering / maintenance behind them.
I’d run stateful third party apps (like databases) in containers / VMs if I understand the upgrade and backup-to-cloud path. Most common would be some form of DEB/RPM packaging which I’d just pull from the repository for updates and some automation (maybe as simple as a container with a cron job) for backups.
I’d run Containers if they are stateless, so I don’t need to think how to keep my data. I’d just run something and when I need to, I’d simply rebuild an updated version from the vendor (most often just pulling it from DockerHub).
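An added example (not from this thread or from any NAS vendor) of the check the discussion above implies: audit an inventory of app-store packages for staleness and rate the risk by version gap, package age and exposure. The inventory, upstream versions and dates are constructed sample values; a reader would fill them from the App Center and the upstream projects' release pages.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class App:
    name: str
    installed: str         # version as shown in the NAS app store, may end in ".*"
    upstream: str          # latest version the upstream project publishes
    store_updated: date    # when the store package itself was last updated
    internet_facing: bool  # reachable from the internet, or only via LAN/VPN

def parse_version(v: str) -> tuple:
    """'1.40.*' -> (1, 40, 0); a wildcard component counts as 0."""
    return tuple(0 if p == "*" else int(p) for p in v.strip().split("."))

def version_behind(installed: str, upstream: str) -> int:
    """0 = current, 1 = minor/patch release behind, 2 = major release behind."""
    i, u = parse_version(installed), parse_version(upstream)
    n = max(len(i), len(u))
    i, u = i + (0,) * (n - len(i)), u + (0,) * (n - len(u))  # pad to equal length
    if i >= u:
        return 0
    return 2 if i[0] < u[0] else 1

def assess(app: App, today: date, max_age_days: int = 365) -> str:
    """Rate an app: stale and internet-facing (or a whole major release behind)
    is 'high'; stale but LAN/VPN-only is 'medium'; current and recent is 'low'."""
    behind = version_behind(app.installed, app.upstream)
    age_days = (today - app.store_updated).days
    if behind == 0 and age_days <= max_age_days:
        return "low"
    if app.internet_facing or behind == 2:
        return "high"
    return "medium"

# Constructed sample inventory; upstream versions and dates are illustrative only.
TODAY = date(2024, 1, 15)
SAMPLE = [
    App("Wordpress", "5.8.0", "6.4.2", date(2021, 9, 1), internet_facing=True),
    App("Tailscale", "1.40.*", "1.56.1", date(2023, 4, 20), internet_facing=False),
    App("Vendor backup tool", "3.2.1", "3.2.1", date(2023, 12, 1), internet_facing=False),
]

def audit(apps=SAMPLE, today=TODAY) -> dict:
    """Map each app name to its risk rating."""
    return {a.name: assess(a, today) for a in apps}

if __name__ == "__main__":
    for name, rating in audit().items():
        print(f"{rating:6}  {name}")
```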